External SAP HANA PSE File and Certificate Management
Certificates can also be stored and managed within files located in the file system of the SAP HANA instance. By default, they’re stored in the following path:
/hana/shared/<SID>/HDB<instance number>/<host name>/sec
<SID> = SAP HANA system SID
<instance number> = 2-digit instance number
<host name> = configured host name of the SAP HANA system
Example path:
/hana/shared/PJ5/HDB25/w4-hana-05/sec
---
13.1 SSL Certificates
Within this path, you’ll find several files with a .pse extension. For example:
sapsrv.pse
saplogon.pse
sapslcs.pse
sapsys.pse
sap_system_pki_instance.pse
sap_system_pki_internal.pse
sapsrv_internal.*.pse
Each file has an intended purpose, usually storing public/private certificates used for authentication or TLS secure communication.
Figure 13.2 outlines the file purposes:
Authentication: SAML, X.509, SAP Assertion Ticket
Transport Security Layer (TLS/SSL): Client ODBC/JDBC, Client HTTP (XS), Internal Communication
---
Items in the Authentication section are related to external authentication providers.
Items in the TLS/SSL section are related to:
Client protocols
XS engine’s web SSL
Internal server communications
There are two main ways to configure PSE files:
1. Command-line using SAPGENPSE tool
2. Web-based SAP Web Dispatcher Administration GUI
Most users prefer the GUI option for ease of use.
---
13. Web Dispatcher Administration
To access the Web Dispatcher Admin GUI, the user must have the role:
sap.hana.xs.wdisp.admin::WebDispatcherAdmin
Access URL example:
http://<SAP_HANA_XS_HOST>:80(<instance #>)/sap/hana/xs/wdisp/admin/
Example:
http://w4-dh-hana19e-corp.root.internal.com:8000/sap/hana/xs/wdisp/admin
Authentication is required with SAP HANA internal user credentials.
Figure 13.3 shows the SAP Web Dispatcher Monitor landing page.
---
Figure 13.4 – PSE Management Area in Web Dispatcher
The interface has a Manage PSE dropdown where you select the PSE file to manage.
With a PSE selected, the following actions are available:
Interface Option Description
Recreate PSE Resets to default state, removes all certificates from trust store
Delete PSE Deletes selected PSE from the file system
Create New PSE Opens a window to define encryption settings
Export Own Certificate Opens a window with the selected PSE’s certificate
Create Certificate Request Generates new certificate request text
Import CA Response Opens a window to paste CA’s certificate response
Import Certificate Opens a window to paste/import trusted certificate
Table 13.2: Web Dispatcher PSE Management Options
---
Configuring and Managing Certificates
Certification requirements may vary by SAP HANA version.
Check official SAP documentation: